Add an AWS Account to Palette

Palette supports integration with Amazon Web Services (AWS) cloud accounts, including AWS Commercial cloud, GovCloud, Secret cloud, and Top Secret cloud. Once you add your AWS account to Palette, you can deploy clusters into the appropriate AWS cloud, all without leaving the Palette interface.

The following table summarizes which AWS clouds, cluster types, and authentication methods are supported by Palette and Palette VerteX.

AWS Cloud	Palette Enterprise	Palette VerteX	IaaS	EKS	Static Access	Dynamic (STS) Access	EKS Pod Identity	Secure Compliance Validation
AWS Commercial Cloud	✅	✅	✅	✅	✅	✅	✅	❌
AWS GovCloud	✅	✅	✅	✅	✅	✅	✅	❌
AWS Secret Cloud	❌	✅	❌	✅	✅	❌	❌	✅
AWS Top Secret Cloud	❌	✅	❌	✅	✅	❌	❌	✅

AWS Commercial Cloud

This section provides guidance on how to add an AWS Commercial cloud account to Palette or Palette VerteX using static or dynamic access credentials, as well as EKS Pod Identity.

Static Access Credentials

Use the steps below to add an AWS Commercial cloud account using static access credentials.

Prerequisites

• A Palette or Palette VerteX account with tenant admin access.

• An AWS account with an IAM user for Palette. The IAM user must be assigned the required IAM policies.

Enablement

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select AWS.
   Credentials	Select Credentials to authenticate your AWS account using static access credentials for an IAM user.
   Access key	Enter your IAM user's access key. This is found in the Summary section of your AWS IAM > Users dashboard. Refer to Manage access keys for IAM users for more information on access keys.
   Secret access key	Enter your IAM user's secret access key that corresponds to the Access key. This key cannot be viewed or regenerated after the initial creation of your Access key. If you cannot retrieve your secret access key, you must create a new access key pair.

6. Validate your AWS credentials. A green check mark indicates valid credentials.

7. Once your credentials are verified, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on and use the Policies drop-down menu to select any desired IAM policies you want to assign to the Palette IAM user.
8. To deploy clusters to your AWS cloud through a Private Cloud Gateway (PCG), toggle Connect Private Cloud Gateway on and select a Private Cloud Gateway from the drop-down menu. The PCG must be deployed and registered with Palette or Palette VerteX at Tenant Settings > Private Cloud Gateway in order to select it.
9. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings Menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

Dynamic Access Credentials

Use the steps below to add an AWS cloud account using dynamic Security Token Service (STS) credentials.

Prerequisites

• A Palette or Palette VerteX account with tenant admin access.

• An AWS account with the required IAM policies.

• The ability to create an IAM role that Palette can assume using STS. You will create the role while adding your AWS account to Palette or Palette VerteX.

• (Self-hosted Palette and Palette VerteX only) By default, adding AWS accounts using STS is disabled in self-hosted Palette and Palette VerteX. To allow tenants to add AWS accounts using STS, refer to the appropriate Enable Adding AWS Accounts Using STS - Palette or Enable Adding AWS Accounts Using STS - VerteX guide.

Enablement

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Palette Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select AWS.
   STS	Select STS to authenticate your AWS account using STS credentials and reveal the ARN field.

6. When you select STS, the right side of the wizard populates with details on how to create an IAM role for Palette. Log in to your AWS account and begin the IAM role creation process by navigating to IAM > Roles > Create role. The following table expands on the information provided by the wizard.

   AWS Parameter	Description
   Trusted entity type	Select AWS account. In the An AWS account section, select Another AWS account.
   Account ID	Copy the Account ID displayed on the Palette wizard. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or Palette VerteX instance to enable STS. Refer to the appropriate Enable Adding AWS Accounts Using STS - Palette or Enable Adding AWS Accounts Using STS - VerteX guide for more information.
   Require external ID	In the An AWS account section, below Options, select Require External ID.
   External ID	Copy the External ID displayed on the Palette wizard. This ID is generated by Palette and is different for each tenant.
   Permissions policies	Search for and select the required IAM policies: PaletteControllerPolicy, PaletteControlPlanePolicy, PaletteDeploymentPolicy, and PaletteNodesPolicy. If deploying EKS clusters, add the PaletteControllersEKSPolicy as well.
   Role name	In the Role details section, enter SpectroCloudRole for the Role name.

7. Your new role appears in the Roles list. Locate and select the new role. In the Summary section, copy the Amazon Resource Name (ARN) for the role.

8. In Palette, paste the role ARN into the ARN field.

9. Validate your AWS credentials. A green check mark indicates valid credentials.

10. Once your credentials are verified, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on and use the Policies drop-down menu to select any desired IAM policies you want to assign to the Palette IAM user.
11. To deploy clusters to your AWS cloud through a Private Cloud Gateway (PCG), toggle Connect Private Cloud Gateway on and select a Private Cloud Gateway from the drop-down menu. The PCG must be deployed and registered with at Tenant Settings > Private Cloud Gateway in order to select it.
12. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings Menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

EKS Pod Identity

Palette supports EKS Pod Identity, which allows pods to securely access AWS services using short-lived credentials. This is achieved by associating an IAM role with a Kubernetes service account, enabling pods that use that service account to assume the IAM role and access AWS resources without needing to manage long-lived AWS credentials.

Limitations

• This authentication option is only available for self-hosted Palette or Palette VerteX instances deployed on Amazon EKS clusters.

• Only Amazon EKS clusters can be deployed as workload clusters when using EKS Pod Identity for authentication.

Prerequisites

• Self-hosted Palette or Palette VerteX deployed on an Amazon EKS cluster with Kubernetes version 1.24 or later.

  • A ConfigMap named palette-global-config must exist in the kube-system namespace with a managementClusterName key set to the EKS management cluster's name where Palette or Palette VerteX is deployed.

    If this key is missing, the fallback mechanism will obtain the cluster's name using IMDS and EC2 tags, but for this to work, the cluster must have only EKS managed node groups with a CNI plugin that does not block IMDS access from pods.

    Click to display kubectl commands to check for and create the ConfigMap

    1. Log in to the Local UI of the leader host of the Palette or Palette VerteX management cluster.

    2. On the Cluster page, under Environment, click on the Admin Kubeconfig File to download it to your local machine.

    3. On your local machine, open a terminal session and export the KUBECONFIG environment variable to point to the downloaded kubeconfig file.

       export KUBECONFIG=/path/to/downloaded/kubeconfig

    4. Use the following kubectl command to check if the palette-global-config ConfigMap already exists.

       kubectl describe configmap palette-global-config --namespace kube-system

       If the ConfigMap exists, the output will be similar to the following example.

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: palette-global-config
         namespace: kube-system
       data:
         managementClusterName: "palette-eks-management-cluster"

    5. If the ConfigMap does not exist, use the following kubectl command to create it. Replace <eks-management-cluster-name> with the name of your EKS management cluster where Palette or Palette VerteX is deployed.

       kubectl create configmap palette-global-config \
         --from-literal=managementClusterName="<eks-management-cluster-name>" \
         --namespace kube-system

  • The EKS Pod Identity Agent must be enabled on the Amazon EKS cluster. Refer to the Set up the Amazon EKS Pod Identity Agent guide for more information.

• Access to the Amazon EKS cluster's kubeconfig file. You must be able to use kubectl to perform validation steps on the cluster.

• A Palette account with tenant admin access.

• If you need your workload clusters to access AWS resources in the same AWS account as the EKS management cluster, three IAM roles must be created for Palette and two of its services.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example
  Palette	SpectroCloudPaletteRole
  Hubble service	SpectroCloudHubbleRole
  Identity service	SpectroCloudIdentityRole

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role. Create these IAM roles in the same AWS account as the EKS management cluster that hosts Palette or Palette VerteX.

  Palette IAM role

  • The following trust policy must be assigned to the IAM role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM role

  • The following trust policy must be assigned to the IAM role created for the Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Identity service IAM role

  • The following trust policy must be assigned to the IAM role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the identity service.

    • Replace <aws-account-id> with your AWS account ID.
    • Replace <role-name-for-palette-iam-role> with the name of the IAM role created for Palette (for example, SpectroCloudPaletteRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        },
        {
          "Sid": "IAMPassRoleforPodIdentity",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        }
      ]
    }

• If you need your workload clusters to access AWS resources in different AWS accounts to the one where your EKS management cluster is deployed, cross-account IAM roles must be created for Palette and two of its services. Refer to the Amazon EKS documentation for more details about this requirement.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example	Where to Create Role
  Identity service	SpectroCloudIdentityLocalRole	Same AWS account as EKS management cluster
  Palette	SpectroCloudPaletteTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleLocalRole	Same AWS account as EKS management cluster

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role.

  Identity service IAM local role

  You must create an IAM local role for the Palette identity service in two stages.

  1. Create the IAM local role with the trust policy outlined in this tab.
  2. After creation, assign the permissions policy outlined in this tab to the IAM local role.

  
  

  info

  These stages are required as the IAM local role ARN for the Palette identity service must be self-referenced in its own permissions policy. If the role is not created first, AWS will not be able to validate the policy.

  • The following trust policy must be assigned to the IAM local role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for the identity service.

    • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
    • Replace <role-name-for-palette-iam-local-role> with the name of the IAM role created for Palette in the target AWS account (for example, SpectroCloudPaletteTargetRole).
    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of this IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:PassRole",
            "sts:AssumeRole",
            "sts:TagSession"
          ],
          "Resource": [
            "arn:aws:iam::<target-aws-account-id>:role/<role-name-for-palette-iam-local-role>",
            "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          ]
        }
      ]
    }

  Palette IAM target role

  • The following trust policy must be assigned to the IAM target role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <aws-management-cluster-region> with the AWS region where the EKS management cluster is deployed.
    • Replace <management-cluster-name> with the name of the EKS management cluster.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of the IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/palette-identity/palette-identity"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/*/palette-manager"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:TagSession"
        },
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM target role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM target role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM target role

  • The following trust policy must be assigned to the IAM target role created for the Hubble service. Replace the following templated values with your own values.

    • <aws-management-cluster-account-id>: The AWS account ID where the EKS management cluster is deployed.
    • <aws-management-cluster-region>: The AWS region where the EKS management cluster is deployed.
    • <management-cluster-name>: The name of the EKS management cluster.
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/hubble-system/spectro-hubble"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:TagSession"
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM target role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM local role

  • The following trust policy must be assigned to the IAM local role created for Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for Hubble service.

    • Replace the <target-aws-account-id> placeholder with the AWS account ID where the workload cluster resources are located.
    • Replace the <hubble-service-iam-target-role> placeholder with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).
    
    

    {
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role>"
      ],
      "Sid": "IAM"
    }

• The IAM roles created for the Palette Hubble service and Palette identity service must have pod identity associations with the following Kubernetes service accounts. This is not required for the IAM role created for Palette itself.

  Palette Service	Kubernetes Namespace	Kubernetes Service Account
  Hubble	hubble-system	spectro-hubble
  Identity service	palette-identity	palette-identity

  Click to display example AWS CLI commands to create pod identity associations

  Use the commands in the appropriate tab below depending on whether your workload clusters need to access AWS resources in the same AWS account as the EKS management cluster, or in different AWS accounts.

  Same AWS Account

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <hubble-service-iam-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-account-id>:role/<hubble-service-iam-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <identity-service-iam-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-account-id>:role/<identity-service-iam-role-name>

  Different AWS Accounts

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <hubble-service-iam-local-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleLocalRole).
  • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
  • Replace <hubble-service-iam-target-role-name> with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<hubble-service-iam-local-role-name>
  --target-role-arn arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <identity-service-iam-local-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityLocalRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<identity-service-iam-local-role-name>

Enablement

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Palette Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select AWS.
   EKS Pod Identity	Select EKS Pod Identity to authenticate your AWS account using the EKS Pod Identity method and reveal the ARN field.

6. In the AWS console, navigate to IAM > Roles, and select the new IAM role created for Palette (for example,SpectroCloudRole). In the Summary section, copy the Amazon Resource Name (ARN) for the role.

7. In Palette, paste the role ARN into the ARN field.

8. Validate your AWS credentials. A green check mark indicates valid credentials.

   The Add IAM Policies option appears after successful validation. Leave this blank, as the required IAM policies have already been assigned to the IAM role created for Palette (for example, SpectroCloudRole).

9. (Optional) To set a permission boundary, toggle Add Permission Boundary on and provide the ARN of a IAM policy or role in the Permission Boundary ARN field.

10. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

5. Open a terminal session and ensure you have access to the kubeconfig file for the Amazon EKS cluster where Palette or Palette VerteX is deployed. Set the KUBECONFIG environment variable to point to the file.

   export KUBECONFIG=/path/to/kubeconfig/file

6. Issue the following kubectl commands to verify that EKS Pod Identity has set the required environment variables for the spectro-hubble and palette-identity pods.

   kubectl get pods --namespace hubble-system --selector app=spectro-hubble -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   kubectl get pods --namespace palette-identity --selector app=palette-identity -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   The output from both commands should include the following environment variables indicating that Amazon EKS has injected the necessary configuration for EKS Pod Identity.

   AWS_CONTAINER_CREDENTIALS_FULL_URI
   AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

AWS GovCloud

Palette and Palette VerteX support deploying Kubernetes clusters to AWS GovCloud. This section provides guidance on how to add an AWS GovCloud account to Palette using static or dynamic access credentials, as well as EKS Pod Identity.

Static Access Credentials

Use the steps below to add an AWS GovCloud account using static access credentials.

Prerequisites

• A Palette or Palette VerteX account with tenant admin access.

• An AWS account with an IAM user for Palette. The IAM user must be assigned the required IAM policies.

Enablement

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select AWS US Gov.
   Credentials	Select Credentials to authenticate your AWS account using static access credentials for an IAM user.
   Access key	Enter your IAM user's access key. This is found in the Summary section of your AWS IAM > Users dashboard. Refer to Manage access keys for IAM users for more information on access keys.
   Secret access key	Enter your IAM user's secret access key that corresponds to the Access key. This key cannot be viewed or regenerated after the initial creation of your Access key. If you cannot retrieve your secret access key, you must create a new access key pair.

6. Validate your AWS credentials. A green check mark indicates valid credentials.

7. Once your credentials are verified, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on and use the Policies drop-down menu to select any desired IAM policies you want to assign to the Palette IAM user.
8. To deploy clusters to your AWS cloud through a Private Cloud Gateway (PCG), toggle Connect Private Cloud Gateway on and select a Private Cloud Gateway from the drop-down menu. The PCG must be deployed and registered with Palette or Palette VerteX at Tenant Settings > Private Cloud Gateway in order to select it.
9. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings Menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

Dynamic Access Credentials

Use the steps below to add an AWS GovCloud account using dynamic STS credentials.

Prerequisites

• A Palette or Palette VerteX account with tenant admin access.

• An AWS account with the required IAM policies.

• The ability to create an IAM role that Palette can assume using STS. You will create the role while adding your AWS account to Palette or Palette VerteX.

• (Self-hosted Palette and Palette VerteX only) By default, adding AWS accounts using STS is disabled in self-hosted Palette and Palette VerteX. To allow tenants to add AWS accounts using STS, refer to the appropriate Enable Adding AWS Accounts Using STS - Palette or Enable Adding AWS Accounts Using STS - VerteX guide.

Enablement

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Palette Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select AWS US Gov.
   STS	Select STS to authenticate your AWS account using STS credentials and reveal the ARN field.

6. When you select STS, the right side of the wizard populates with details on how to create an IAM role for Palette. Log in to your AWS account and begin the IAM role creation process by navigating to IAM > Roles > Create role. The following table expands on the information provided by the wizard.

   AWS Parameter	Description
   Trusted entity type	Select AWS account. In the An AWS account section, select Another AWS account.
   Account ID	Copy the Account ID displayed on the Palette wizard. If using a self-hosted instance, this is the same AWS account that you configured for your Palette or Palette VerteX instance to enable STS. Refer to the appropriate Enable Adding AWS Accounts Using STS - Palette or Enable Adding AWS Accounts Using STS - VerteX guide for more information.
   Require external ID	In the An AWS account section, below Options, select Require External ID.
   External ID	Copy the External ID displayed on the Palette wizard. This ID is generated by Palette and is different for each tenant.
   Permissions policies	Search for and select the required IAM policies: PaletteControllerPolicy, PaletteControlPlanePolicy, PaletteDeploymentPolicy, and PaletteNodesPolicy. If deploying EKS clusters, add the PaletteControllersEKSPolicy as well.
   Role name	In the Role details section, enter SpectroCloudRole for the Role name.

7. Your new role appears in the Roles list. Locate and select the new role. In the Summary section, copy the Amazon Resource Name (ARN) for the role.

8. In Palette, paste the role ARN into the ARN field.

9. Validate your AWS credentials. A green check mark indicates valid credentials.

10. Once your credentials are verified, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on and use the Policies drop-down menu to select any desired IAM policies you want to assign to the Palette IAM user.
11. To deploy clusters to your AWS cloud through a Private Cloud Gateway (PCG), toggle Connect Private Cloud Gateway on and select a Private Cloud Gateway from the drop-down menu. The PCG must be deployed and registered with Palette or Palette VerteX at Tenant Settings > Private Cloud Gateway in order to select it.
12. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings Menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

EKS Pod Identity

Palette supports EKS Pod Identity, which allows pods to securely access AWS services using short-lived credentials. This is achieved by associating an IAM role with a Kubernetes service account, enabling pods that use that service account to assume the IAM role and access AWS resources without needing to manage long-lived AWS credentials.

Limitations

• This authentication option is only available for self-hosted Palette or Palette VerteX instances deployed on Amazon EKS clusters.

• Only Amazon EKS clusters can be deployed as workload clusters when using EKS Pod Identity for authentication.

Prerequisites

• Self-hosted Palette or Palette VerteX deployed on an Amazon EKS cluster with Kubernetes version 1.24 or later.

  • A ConfigMap named palette-global-config must exist in the kube-system namespace with a managementClusterName key set to the EKS management cluster's name where Palette or Palette VerteX is deployed.

    If this key is missing, the fallback mechanism will obtain the cluster's name using IMDS and EC2 tags, but for this to work, the cluster must have only EKS managed node groups with a CNI plugin that does not block IMDS access from pods.

    Click to display kubectl commands to check for and create the ConfigMap

    1. Log in to the Local UI of the leader host of the Palette or Palette VerteX management cluster.

    2. On the Cluster page, under Environment, click on the Admin Kubeconfig File to download it to your local machine.

    3. On your local machine, open a terminal session and export the KUBECONFIG environment variable to point to the downloaded kubeconfig file.

       export KUBECONFIG=/path/to/downloaded/kubeconfig

    4. Use the following kubectl command to check if the palette-global-config ConfigMap already exists.

       kubectl describe configmap palette-global-config --namespace kube-system

       If the ConfigMap exists, the output will be similar to the following example.

       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: palette-global-config
         namespace: kube-system
       data:
         managementClusterName: "palette-eks-management-cluster"

    5. If the ConfigMap does not exist, use the following kubectl command to create it. Replace <eks-management-cluster-name> with the name of your EKS management cluster where Palette or Palette VerteX is deployed.

       kubectl create configmap palette-global-config \
         --from-literal=managementClusterName="<eks-management-cluster-name>" \
         --namespace kube-system

  • The EKS Pod Identity Agent must be enabled on the Amazon EKS cluster. Refer to the Set up the Amazon EKS Pod Identity Agent guide for more information.

• Access to the Amazon EKS cluster's kubeconfig file. You must be able to use kubectl to perform validation steps on the cluster.

• A Palette account with tenant admin access.

• If you need your workload clusters to access AWS resources in the same AWS account as the EKS management cluster, three IAM roles must be created for Palette and two of its services.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example
  Palette	SpectroCloudPaletteRole
  Hubble service	SpectroCloudHubbleRole
  Identity service	SpectroCloudIdentityRole

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role. Create these IAM roles in the same AWS account as the EKS management cluster that hosts Palette or Palette VerteX.

  Palette IAM role

  • The following trust policy must be assigned to the IAM role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM role

  • The following trust policy must be assigned to the IAM role created for the Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Identity service IAM role

  • The following trust policy must be assigned to the IAM role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM role created for the identity service.

    • Replace <aws-account-id> with your AWS account ID.
    • Replace <role-name-for-palette-iam-role> with the name of the IAM role created for Palette (for example, SpectroCloudPaletteRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        },
        {
          "Sid": "IAMPassRoleforPodIdentity",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<role-name-for-palette-iam-role>"
          ]
        }
      ]
    }

• If you need your workload clusters to access AWS resources in different AWS accounts to the one where your EKS management cluster is deployed, cross-account IAM roles must be created for Palette and two of its services. Refer to the Amazon EKS documentation for more details about this requirement.

  The following table lists the IAM roles that must be created. Create them in the order shown as some roles are referenced by others.

  Service	IAM Role Name Example	Where to Create Role
  Identity service	SpectroCloudIdentityLocalRole	Same AWS account as EKS management cluster
  Palette	SpectroCloudPaletteTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleTargetRole	Target AWS account for workload cluster resources
  Hubble service	SpectroCloudHubbleLocalRole	Same AWS account as EKS management cluster

  The following tabs provide guidance on the trust policies and permissions policies that must be assigned to each IAM role.

  Identity service IAM local role

  You must create an IAM local role for the Palette identity service in two stages.

  1. Create the IAM local role with the trust policy outlined in this tab.
  2. After creation, assign the permissions policy outlined in this tab to the IAM local role.

  
  

  info

  These stages are required as the IAM local role ARN for the Palette identity service must be self-referenced in its own permissions policy. If the role is not created first, AWS will not be able to validate the policy.

  • The following trust policy must be assigned to the IAM local role created for the identity service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for the identity service.

    • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
    • Replace <role-name-for-palette-iam-local-role> with the name of the IAM role created for Palette in the target AWS account (for example, SpectroCloudPaletteTargetRole).
    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of this IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EKSPodIdentityManagement",
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "EC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:PassRole",
            "sts:AssumeRole",
            "sts:TagSession"
          ],
          "Resource": [
            "arn:aws:iam::<target-aws-account-id>:role/<role-name-for-palette-iam-local-role>",
            "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          ]
        }
      ]
    }

  Palette IAM target role

  • The following trust policy must be assigned to the IAM target role created for Palette. This trust policy is the same as outlined in the Amazon EKS documentation.

    • Replace <aws-management-cluster-account-id> with the AWS account ID where the EKS management cluster is deployed.
    • Replace <aws-management-cluster-region> with the AWS region where the EKS management cluster is deployed.
    • Replace <management-cluster-name> with the name of the EKS management cluster.
    • Replace <role-name-for-identity-service-iam-local-role> with the name of the IAM role created for the identity service (for example, SpectroCloudIdentityLocalRole).
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/palette-identity/palette-identity"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/*/palette-manager"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/<role-name-for-identity-service-iam-local-role>"
          },
          "Action": "sts:TagSession"
        },
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The required IAM policies must be assigned to the IAM target role created for Palette.

  • In addition to the required IAM policies, the following permissions policy must also be assigned to the IAM target role created for Palette.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "eks:ListPodIdentityAssociations",
            "eks:CreatePodIdentityAssociation",
            "eks:DeletePodIdentityAssociation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM target role

  • The following trust policy must be assigned to the IAM target role created for the Hubble service. Replace the following templated values with your own values.

    • <aws-management-cluster-account-id>: The AWS account ID where the EKS management cluster is deployed.
    • <aws-management-cluster-region>: The AWS region where the EKS management cluster is deployed.
    • <management-cluster-name>: The name of the EKS management cluster.
    
    

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<aws-management-cluster-region>/<aws-management-cluster-account-id>/<management-cluster-name>/hubble-system/spectro-hubble"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-management-cluster-account-id>:role/spectro-hubble-identity"
          },
          "Action": "sts:TagSession"
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM target role created for the Hubble service.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMValidation",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "iam:GetPolicy",
            "iam:GetPolicyVersion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2Describe",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeRegions",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:DescribeKeyPairs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEKSDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:DescribeCluster",
            "eks:ListClusters",
            "eks:DescribeNodegroup",
            "eks:ListNodegroups",
            "eks:DescribeAddon",
            "eks:ListAddons"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowKMSRead",
          "Effect": "Allow",
          "Action": [
            "kms:ListKeys",
            "kms:ListAliases",
            "kms:DescribeKey",
            "kms:GetKeyPolicy",
            "kms:GetKeyRotationStatus"
          ],
          "Resource": "*"
        }
      ]
    }

  Hubble service IAM local role

  • The following trust policy must be assigned to the IAM local role created for Hubble service. This trust policy is the same as outlined in the Amazon EKS documentation.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
          "Effect": "Allow",
          "Principal": {
            "Service": "pods.eks.amazonaws.com"
          },
          "Action": ["sts:AssumeRole", "sts:TagSession"]
        }
      ]
    }

  • The following permissions policy must be assigned to the IAM local role created for Hubble service.

    • Replace the <target-aws-account-id> placeholder with the AWS account ID where the workload cluster resources are located.
    • Replace the <hubble-service-iam-target-role> placeholder with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).
    
    

    {
      "Action": [
        "iam:GetRole",
        "iam:PassRole",
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role>"
      ],
      "Sid": "IAM"
    }

• The IAM roles created for the Palette Hubble service and Palette identity service must have pod identity associations with the following Kubernetes service accounts. This is not required for the IAM role created for Palette itself.

  Palette Service	Kubernetes Namespace	Kubernetes Service Account
  Hubble	hubble-system	spectro-hubble
  Identity service	palette-identity	palette-identity

  Click to display example AWS CLI commands to create pod identity associations

  Use the commands in the appropriate tab below depending on whether your workload clusters need to access AWS resources in the same AWS account as the EKS management cluster, or in different AWS accounts.

  Same AWS Account

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <hubble-service-iam-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-account-id>:role/<hubble-service-iam-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service in the same AWS account as the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-account-id> with your AWS account ID.
  • Replace <identity-service-iam-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-account-id>:role/<identity-service-iam-role-name>

  Different AWS Accounts

  Use the following AWS CLI command to create a pod identity association for the Palette Hubble service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <hubble-service-iam-local-role-name> with the name of the IAM role created for the Palette Hubble service (for example, SpectroCloudHubbleLocalRole).
  • Replace <target-aws-account-id> with the AWS account ID where the workload cluster resources are located.
  • Replace <hubble-service-iam-target-role-name> with the name of the IAM role created for the Hubble service in the target AWS account (for example, SpectroCloudHubbleTargetRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace hubble-system \
  --service-account spectro-hubble \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<hubble-service-iam-local-role-name>
  --target-role-arn arn:aws:iam::<target-aws-account-id>:role/<hubble-service-iam-target-role-name>

  Similarly, use the following AWS CLI command to create a pod identity association for the Palette identity service that needs to access AWS resources in a different AWS account to the EKS management cluster.

  • Replace <eks-cluster-name> with the name of your Amazon EKS Cluster.
  • Replace <aws-management-cluster-account-id> with the AWS account ID where your EKS management cluster is located.
  • Replace <identity-service-iam-local-role-name> with the name of the IAM role created for the Palette identity service (for example, SpectroCloudIdentityLocalRole).

  
  

  aws eks create-pod-identity-association \
  --cluster-name <eks-cluster-name> \
  --namespace palette-identity \
  --service-account palette-identity \
  --role-arn arn:aws:iam::<aws-management-cluster-account-id>:role/<identity-service-iam-local-role-name>

Enablement

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Palette Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select AWS US Gov.
   EKS Pod Identity	Select EKS Pod Identity to authenticate your AWS account using the EKS Pod Identity method and reveal the ARN field.

6. In the AWS console, navigate to IAM > Roles, and select the new IAM role created for Palette (for example,SpectroCloudRole). In the Summary section, copy the Amazon Resource Name (ARN) for the role.

7. In Palette, paste the role ARN into the ARN field.

8. Validate your AWS credentials. A green check mark indicates valid credentials.

   The Add IAM Policies option appears after successful validation. Leave this blank, as the required IAM policies have already been assigned to the IAM role created for Palette (for example, SpectroCloudRole).

9. (Optional) To set a permission boundary, toggle Add Permission Boundary on and provide the ARN of a IAM policy or role in the Permission Boundary ARN field.

10. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette or Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

5. Open a terminal session and ensure you have access to the kubeconfig file for the Amazon EKS cluster where Palette or Palette VerteX is deployed. Set the KUBECONFIG environment variable to point to the file.

   export KUBECONFIG=/path/to/kubeconfig/file

6. Issue the following kubectl commands to verify that EKS Pod Identity has set the required environment variables for the spectro-hubble and palette-identity pods.

   kubectl get pods --namespace hubble-system --selector app=spectro-hubble -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   kubectl get pods --namespace palette-identity --selector app=palette-identity -ojsonpath='{.items[0].spec.containers[0].env[*].name}' | tr ' ' '\n' | grep AWS_CONTAINER

   The output from both commands should include the following environment variables indicating that Amazon EKS has injected the necessary configuration for EKS Pod Identity.

   AWS_CONTAINER_CREDENTIALS_FULL_URI
   AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

AWS Secret Cloud (SC2S) and Top Secret Cloud (C2S)

You can add AWS Secret and Top Secret cloud accounts in Palette VerteX to deploy AWS EKS clusters in AWS Secret and Top Secret clouds. Depending on your organization's compliance requirements, you can register your AWS cloud account using either standard authentication (access key and secret access key pairs for IAM users) or secure compliance validation (SC2S Access Portal (SCAP) or C2S Access Portal (CAP) credentials).

tech preview

This is a Tech Preview feature and is subject to change. Do not use this feature in production workloads.

Limitations

• Only AWS EKS clusters clusters can be deployed in AWS Secret and Top Secret clouds. AWS IaaS clusters are not supported.

• User-provided Certificate Authority (CA) certificates are not automatically mounted on worker nodes in EKS clusters that are deployed in AWS Secret and Top Secret clouds. As a result, applications or services that rely on custom CAs for Transport Layer Security (TLS) communication may fail to establish secure connections, and integrations with external services that require custom CAs may encounter Secure Socket Layer (SSL) or TLS verification issues.

  • Workloads requiring custom CAs for internal trust validation must use an alternative configuration, such as using a sidecar container to provide the CA certificate at runtime or embedding the CA certificate within the application. For guidance on embedding certificates within applications, refer to the official Kubernetes documentation on using Secrets as files from a Pod and creating pods that access Secret data through a Volume.

Static Access Credentials

Use the steps below to add an AWS Secret or Top Secret cloud account using static access credentials.

Prerequisites

• Palette VerteX installed.

• A Palette VerteX account with tenant admin access.

• An AWS account with an IAM user for Palette. The IAM user must be assigned the required IAM policies.

• The AwsSecretPartition feature flag enabled in the Palette VerteX system console.

• The Certificate Authority (CA) certificate (root, intermediate, or chain of trust) for your AWS Secret or Top Secret cloud account in PEM-encoded format.

• A secure connection to your AWS Secret Cloud or Top Secret Cloud account, such as via a Private Cloud Gateway (PCG), Wide Area Network (WAN) tunnel, or AWS Private Link.

Enablement

1. Log in to Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select either AWS US Secret or AWS US Top Secret.
   Credentials	Select Credentials to authenticate your AWS account using static access credentials.
   Secure Compliance Validation	Keep disabled to use static access credentials.
   Access key	Enter your IAM user's access key. This is found in the Summary section of your AWS IAM > Users dashboard. Refer to Manage access keys for IAM users for more information on access keys.
   Secret access key	Enter your IAM user's secret access key that corresponds to the Access key. This key cannot be viewed or regenerated after the initial creation of your Access key. If you cannot retrieve your secret access key, you must create a new access key pair.
   Certificate Authority	Paste the PEM-encoded root, intermediate, or chain of trust CA certificate for your AWS Secret or Top Secret cloud account.

6. Validate your AWS credentials. A green check mark indicates valid credentials.

7. Once your credentials are verified, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on and use the Policies drop-down menu to select any desired IAM policies you want to assign to the Palette IAM user.
8. To deploy clusters to your AWS cloud through a Private Cloud Gateway (PCG), toggle Connect Private Cloud Gateway on and select a Private Cloud Gateway from the drop-down menu. The PCG must be deployed and registered with Palette VerteX at Tenant Settings > Private Cloud Gateway in order to select it.
9. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings Menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

Secure Compliance Validation Credentials

Use the steps below to add an AWS Secret or Top Secret cloud account using CAP/SCAP credentials.

Prerequisites

• Palette VerteX installed.

• A Palette VerteX account with tenant admin access.

• The AwsSecretPartition feature flag enabled in the Palette VerteX system console.

• An AWS Secret or Top Secret account configured for CAP/SCAP access. Your CAP/SCAP administrator must provide the target Agency, Account, and CAP/SCAP role values. The CAP/SCAP role must be assigned the required IAM policies.

• A Non-Person Entity (NPE) (service identity) provisioned and authorized to access the target Agency, Account, and CAP/SCAP role.

• A trusted client certificate and private key issued for the NPE and mapped to the NPE identity in your organization’s identity access management system. This is required for CAP/SCAP to authenticate and authorize the certificate identity.

• The CA certificate (root, intermediate, or chain of trust) and private key in PEM-encoded format.

• A secure connection to your AWS Secret Cloud or Top Secret Cloud account, such as via a Private Cloud Gateway (PCG), WAN tunnel, or AWS Private Link.

Enablement

1. Log in to Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings menu, select Cloud Accounts.

4. Locate the AWS section and select Add AWS Account.

5. Fill out the following information.

   Parameter	Description
   Account Name	Enter a custom account name. The account name must be unique within the tenant scope.
   Description (Optional)	Enter a description for the cloud account.
   Partition	Select either AWS US Secret or AWS US Top Secret.
   Credentials	Select Credentials.
   Secure Compliance Validation	Enable Secure Compliance Validation to authenticate with your CAP/SCAP credentials.
   Agency Name	Enter the CAP/SCAP agency name.
   Account Name	Enter the CAP/SCAP account name or number.
   CAP/SCAP Role Name	Enter the role name provided by the CAP/SCAP administrator. This role determines the AWS permissions granted to the account.
   Role Prefix (Optional)	Choose a prefix to standardize role names. If no prefix is provided, a default prefix of PROJECT_ is used. For example, if the initial role name is DevOpsRole, the full role name would be PROJECT_DevOpsRole. Note: The role name, including the prefix, cannot exceed 64 characters.
   Permission Boundary (Optional)	If you want to apply a permission boundary and limit the maximum permissions a role or user can have, provide the IAM policy ARN. Refer to Permissions boundaries for IAM entities for additional information.
   Certificate Authority	Paste the CA certificate chain (root and intermediates) that signs the CAP/SCAP endpoint certificate or is required to validate the TLS chain. The chain must be in PEM-encoded format.
   User Certificate	Paste the NPE certificate in PEM-encoded format.
   User Key	Paste the NPE certificate private key in PEM-encoded format.

   Palette VerteX is configured to work with CAP/SCAP endpoints for US regions. Users who need alternate endpoints can change these configurations on their self-hosted Palette VerteX installation.

   Custom CAP/SCAP endpoints

   1. Open a terminal on a host that can connect to the Palette VerteX management cluster. kubectl must be installed on the host.

   2. Download the Palette VerteX management cluster's Kubeconfig file.

   3. Open a terminal window and set the environment variable KUBECONFIG to point to the file you downloaded.

      export KUBECONFIG=<path-to-downloaded-kubeconfig-file>

   4. Use the following command to set a custom endpoint. Replace <customized-endpoint-url> with your own value.

      AWS Secret Cloud

      kubectl --namespace hubble-system set env deployment/cloud CUSTOM_ISO_URL="<customized-endpoint-url>"

      AWS Top Secret Cloud

      kubectl --namespace hubble-system set env deployment/cloud CUSTOM_ISOB_URL="<customized-endpoint-url>"

   5. Verify the change was applied.

      kubectl --namespace hubble-system get deploy cloud --output jsonpath='{.spec.template.spec.containers[*].env}'
      Example output

      [{"name":"CUSTOM_ISO_URL","value":"<customized-endpoint-url>"}]

6. Validate your AWS credentials. A green check mark indicates valid credentials.

7. Once your credentials are verified, the Add IAM Policies toggle is displayed. Toggle Add IAM Policies on and use the Policies drop-down menu to select any desired IAM policies you want to assign to the Palette IAM user.
8. To deploy clusters to your AWS cloud through a Private Cloud Gateway (PCG), toggle Connect Private Cloud Gateway on and select a Private Cloud Gateway from the drop-down menu. The PCG must be deployed and registered with Palette VerteX at Tenant Settings > Private Cloud Gateway in order to select it.
9. Select Confirm to add your AWS account to Palette.

Validate

1. Log in to Palette VerteX as a tenant admin.

2. From the left main menu, select Tenant Settings.

3. From the Tenant Settings Menu, select Cloud Accounts.

4. Verify that your AWS account appears in the AWS section.

Next Steps

Now that you have added an AWS account to Palette, you can start deploying Kubernetes clusters to your AWS account. To learn how to get started with deploying Kubernetes clusters to AWS, check out the following guides:

• Create and Manage AWS IaaS Cluster
• Create and Manage AWS EKS Cluster
• EKS Hybrid Nodes